ESXI-06-000048 - The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.

Information

The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration.
vMotion traffic must be sequestered from production traffic on an isolated network. This network must be non-routable to other systems preventing outside access to the network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a standard switch do the following:

From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the vMotion VMkernel select Properties. Select the vMotion VMkernel and click Edit >> On the General tab uncheck everything but 'vMotion' and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CAT|II, CCI|CCI-002418, Group-ID|V-63265, Rule-ID|SV-77755r1_rule, STIG-ID|ESXI-06-000048, Vuln-ID|V-63265

Plugin: VMware

Control ID: 152346c2715679cfc0a836ae7e29451a85175ce588da80efce99cf9dbc98a082